fcaviggia / hardening-script-el6

DISA STIG/USGCB/NSA SNAC Hardening Scripts for Red Hat Enterprise Linux 6
GNU General Public License v2.0

CAT II script GEN000580 sets password min length to 8 #17

Closed ghost closed 10 years ago

ghost commented 10 years ago

It's my understanding that RHEL-06-000050 requires a minimum password of 14. The login.defs file in the config folder has the correct setting but script GEN000580.sh does not.

fcaviggia commented 10 years ago

Sorry it's been a bit to respond, I've been on my honeymoon. I updated the script to ensure 12 characters as a minimum due to the fact that some organizations/agencies have shorter passwords with higher complexity. The actual value for the script is set in the 'config/login.defs' file.

edkhalaf commented 10 years ago

DISA is 14 for user accounts and 15 for system accounts. NRO is 12. On Sep 22, 2014 10:58 PM, "wamacdonald" notifications@github.com wrote:

It's my understanding that RHEL-06-000050 requires a minimum password of 14. The login.defs file in the config folder has the correct setting but script GEN000580.sh does not.

fcaviggia commented 10 years ago

Exactly, that's why I'll ensure that it's a minimum of 12 - I'll let the user specify the length in the 'config/logins.def'

dokuhebi commented 10 years ago

Shouldn't it be set to the worst-case scenario, since that meets all the requirements? If the number is set to 15, it'll be compliant with all the standards out of the box, and users can still change their settings.

Also, if it's set to 15, users will immediately notice that their settings are too strict, while setting it to 12 will not cause a user to realize that it's not 14 or 15.

My two cents,

Tom Albrecht

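To make the point above concrete, here is an added example (not code from hardening-script-el6) of a check that reads PASS_MIN_LEN from a login.defs-style file and an enforcement step that only ever raises it to a required minimum, so a stricter value such as 15 is never lowered to 12. The file path and the required length are caller-supplied assumptions.

```shell
#!/bin/bash
# Added example, not code from hardening-script-el6. Parses PASS_MIN_LEN from a
# login.defs-style file and raises it to a required minimum without ever
# lowering a stricter local value. FILE and REQUIRED are caller-supplied.

# Print the effective PASS_MIN_LEN (last uncommented setting wins, matching how
# login.defs is read top to bottom); prints 0 when the key is absent.
get_pass_min_len() {
    local file="$1"
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print (v == "" ? 0 : v) }' "$file"
}

# Return 0 when the configured minimum meets the required length, 1 otherwise.
check_pass_min_len() {
    local file="$1" required="$2" current
    current=$(get_pass_min_len "$file")
    [ "$current" -ge "$required" ]
}

# Raise PASS_MIN_LEN to at least REQUIRED: replace the existing line in place,
# or append one if the key is missing. A stricter existing value is kept.
enforce_pass_min_len() {
    local file="$1" required="$2"
    if check_pass_min_len "$file" "$required"; then
        return 0
    fi
    if grep -q '^PASS_MIN_LEN' "$file"; then
        sed -i "s/^PASS_MIN_LEN.*/PASS_MIN_LEN ${required}/" "$file"
    else
        printf 'PASS_MIN_LEN %s\n' "$required" >> "$file"
    fi
}

# Usage when run directly: ./pass_min_len.sh /etc/login.defs 15
if [ $# -ge 2 ]; then
    before=$(get_pass_min_len "$1")
    enforce_pass_min_len "$1" "$2"
    echo "PASS_MIN_LEN: ${before} -> $(get_pass_min_len "$1")"
fi
```

Running it against a copy of login.defs first is a cheap way to see whether a box shipped with the 8 this issue reports or with a site-specific stricter value.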

fcaviggia commented 10 years ago

I'm leaving that up to the customer - modify the config/login.defs and roll the RPM - that overwrites the setting - my scripts that I'm putting together for RHEL 7 are going to be more focused on distributing the configuration files versus the remediation scripts.

shawndwells commented 10 years ago

On 10/5/14, 10:03 PM, Frank Caviggia wrote:

my scripts that I'm putting together for RHEL 7 are going to be more focused on distributing the configuration files versus the remediation scripts.

Why will scripts be created for RHEL7?

The STIG has remediation baked in -- why is there a need to continue forking away from the content Red Hat and the Government puts out?

fcaviggia commented 10 years ago

Shawn,

Just to distribute config files out of the box for RHEL 7 from a standalone DVD - I'll be using the SSG to maintain those files.

-Frank